Vulnerabilities > Apache > Spark

DATE CVE VULNERABILITY TITLE RISK
2023-05-02 CVE-2023-32007 Unspecified vulnerability in Apache Spark
** UNSUPPORTED WHEN ASSIGNED ** The Apache Spark UI offers the possibility to enable ACLs via the configuration option spark.acls.enable.
network
low complexity
apache
8.8
2023-04-17 CVE-2023-22946 Unspecified vulnerability in Apache Spark
In Apache Spark versions prior to 3.4.0, applications using spark-submit can specify a 'proxy-user' to run as, limiting privileges.
network
low complexity
apache
critical
9.9
2022-11-01 CVE-2022-31777 Unspecified vulnerability in Apache Spark
A stored cross-site scripting (XSS) vulnerability in Apache Spark 3.2.1 and earlier, and 3.3.0, allows remote attackers to execute arbitrary JavaScript in the web browser of a user, by including a malicious payload into the logs which would be returned in logs rendered in the UI.
network
low complexity
apache
5.4
2022-07-18 CVE-2022-33891 Unspecified vulnerability in Apache Spark
The Apache Spark UI offers the possibility to enable ACLs via the configuration option spark.acls.enable.
network
low complexity
apache
8.8
2022-03-10 CVE-2021-38296 Authentication Bypass by Capture-replay vulnerability in multiple products
Apache Spark supports end-to-end encryption of RPC connections via "spark.authenticate" and "spark.network.crypto.enabled".
network
low complexity
apache oracle CWE-294
7.5
2021-02-26 CVE-2020-27223 Resource Exhaustion vulnerability in multiple products
In Eclipse Jetty 9.4.6.v20170531 to 9.4.36.v20210114 (inclusive), 10.0.0, and 11.0.0 when Jetty handles a request containing multiple Accept headers with a large number of “quality” (i.e.
network
low complexity
eclipse apache netapp debian oracle CWE-400
5.3
2020-11-28 CVE-2020-27218 In Eclipse Jetty version 9.4.0.RC0 to 9.4.34.v20201102, 10.0.0.alpha0 to 10.0.0.beta2, and 11.0.0.alpha0 to 11.0.0.beta2, if GZIP request body inflation is enabled and requests from different clients are multiplexed onto a single connection, and if an attacker can send a request with a body that is received entirely but not consumed by the application, then a subsequent request on the same connection will see that body prepended to its body.
network
high complexity
eclipse netapp oracle apache debian
4.8
2020-06-23 CVE-2020-9480 Missing Authentication for Critical Function vulnerability in multiple products
In Apache Spark 2.4.5 and earlier, a standalone resource manager's master may be configured to require authentication (spark.authenticate) via a shared secret.
network
low complexity
apache oracle CWE-306
critical
9.8
2020-01-29 CVE-2019-20445 HTTP Request Smuggling vulnerability in multiple products
HttpObjectDecoder.java in Netty before 4.1.44 allows a Content-Length header to be accompanied by a second Content-Length header, or by a Transfer-Encoding header.
network
low complexity
netty debian fedoraproject canonical redhat apache CWE-444
critical
9.1
2019-11-18 CVE-2019-10172 A flaw was found in org.codehaus.jackson:jackson-mapper-asl:1.9.x libraries.
network
low complexity
fasterxml redhat debian apache
7.5